[keycloak-dev] Token's issuedAt value is the same as value of NotBeforePolicy

Marek Posolda mposolda at redhat.com
Tue Apr 9 07:50:48 EDT 2019


On 09/04/2019 13:47, Marek Posolda wrote:
> My vote is to go with (2). It may turn out to be more work as it needs to 
> check all the adapters (node.js, maybe also gatekeeper etc).
>
> But strictly said, if not-before is set for example to 10:00:00, then 
> my understanding of not-before semantics is to check that: token is 
> valid if it was issued not before 10:00:00 .
> Which translates to: token is valid if it was wasn't issued before 
> 10:00:00 .
Sorry, that sentence should be: token is valid if it wasn't issued 
before 10:00:00 :)
>
> In other words, if not-before is 10:00:00 then token issued at 9:59:59 
> shouldn't be valid, but token issued at 10:00:00 should be valid IMO.
>
> Marek
>
> On 09/04/2019 09:21, Michal Hajas wrote:
>> Hi,
>>
>> I found out that when you do logout-all (in this step realm.notBefore 
>> value
>> is set) and subsequent login very quickly it may happen that Keycloak
>> returns tokens with an issuedAt value which is the same as the value 
>> of the
>> NotBeforePolicy.
>>
>> Such tokens are considered invalid in adapter due to this check [1].
>>
>> My question is, should we prevent such a state? If yes, what is the correct
>> behavior?
>>
>> 1. Do not generate tokens with the same issuedAt value as NotBefore 
>> policy.
>> For example, in TokenManager [2] check NotBefore value and change
>> issuedAt for all tokens to (NotBefore + 1) in case they are same.
>>
>> or
>>
>> 2. Change condition [2]:
>> .... && this.token.getIssuedAt() > deployment.getNotBefore();
>> to:
>> .... && this.token.getIssuedAt() >= deployment.getNotBefore();
>>
>> The latter will probably also require checking other non-Java adapters
>> for whether such a check is present or not.
>>
>> Best regards,
>> Michal
>>
>> [1]
>> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/RefreshableKeycloakSecurityContext.java#L79 
>>
>>
>> [2]
>> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L796 
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
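The edge case under discussion, as an added Python model that is not part of the thread or of Keycloak's code: `adapter_accepts` mirrors the adapter condition cited as [1] (strict `issuedAt > notBefore`) and Michal's option (2) (`issuedAt >= notBefore`), and `issue_token` with `bump=True` mirrors option (1), moving `iat` to `notBefore + 1` when they coincide. The names `TokenView`, `adapter_accepts`, `issue_token` and `scenario`, and the timestamps, are constructed for the example; they are not Keycloak APIs.

```python
"""Model of the not-before check discussed in the thread (constructed example).

Timestamps are seconds since the epoch, as in the JWT `iat`/`exp` claims and
the realm's notBefore value. Nothing here is Keycloak code; the names are
hypothetical stand-ins for the adapter and TokenManager logic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenView:
    issued_at: int   # JWT `iat`
    expiration: int  # JWT `exp`


def adapter_accepts(token, not_before, now, inclusive=False):
    """Adapter-side validity check.

    inclusive=False reproduces the current condition from [1]:
        issuedAt > notBefore
    inclusive=True reproduces option (2) from the thread:
        issuedAt >= notBefore
    """
    not_expired = now < token.expiration
    if inclusive:
        return not_expired and token.issued_at >= not_before
    return not_expired and token.issued_at > not_before


def issue_token(now, not_before, lifespan=300, bump=False):
    """Server-side token minting.

    With bump=True this applies option (1): never mint a token whose `iat`
    equals the realm's notBefore; move it forward by one second instead.
    """
    iat = now
    if bump and iat == not_before:
        iat = not_before + 1
    return TokenView(issued_at=iat, expiration=iat + lifespan)


def scenario(not_before=1_554_800_000):
    """Logout-all sets realm.notBefore to `not_before`; a login then happens
    one second before, in the same second, and one second after. The adapter
    validates the token one second after each login."""
    results = {}
    for label, login_time in (("before", not_before - 1),
                              ("same", not_before),
                              ("after", not_before + 1)):
        plain = issue_token(login_time, not_before)
        bumped = issue_token(login_time, not_before, bump=True)
        check_time = login_time + 1
        results[label] = {
            # current adapter condition: the "same second" token is rejected
            "strict": adapter_accepts(plain, not_before, check_time),
            # option (2): adapter accepts iat == notBefore
            "inclusive": adapter_accepts(plain, not_before, check_time,
                                         inclusive=True),
            # option (1): server avoids iat == notBefore, strict check unchanged
            "strict_with_bump": adapter_accepts(bumped, not_before, check_time),
        }
    return results


if __name__ == "__main__":
    for label, outcome in scenario().items():
        print(label, outcome)
```

Running the scenario shows the race from Michal's report: with the strict check a token minted in the same second as the logout-all is rejected, while both proposed fixes accept it and both still reject the token minted one second earlier. Whichever option is chosen, the check has to be applied consistently across all adapters, as Marek's reply points out.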